From a physician in a small practice: We had set our operating system updates to happen automatically on Sunday nights. But, our receptionist complained that the server ran extremely slowly every Monday morning because the update process hadn’t finished. So we turned off auto-updating a few months ago. Things went better for a while, but now we're noticing things bogging down again, and some applications don't seem to be working right. But, we have anti-virus software...

From a hospital administrator: Our hospital fetal monitoring devices interface with our general HIT system. We had found some viruses that were missed by our previous antivirus software and we replaced it one month ago with a new product. This seemed to be operating properly. Last night, one of our family practitioners admitted a woman in labor. She delivered this morning and was discharged later today with both her and the baby apparently in good condition. There were about 9 hours of monitoring in total. During labor, some fetal heart rate decelerations were observed, but no interventions were required. The monitor automatically saves its data file in a dedicated directory. This morning the new antivirus software identified the fetal monitor file as malware and deleted it. We have not able to recover the lost file, which contains about 7 hours of fetal monitor data. The record of the decelerations is apparently gone for good. Today, we changed the parameters of the antivirus software to ignore the folder where the fetal monitor files are stored and to quarantine malware for 30 days rather than delete it immediately. The physician is concerned that there has been destruction of essential medical records that might be important at some future time.

Here are two stories that involve anti-virus systems, with completely different themes.

If you don’t have firewalls and anti-malware apps on your devices, stop reading now and install them! There’s no more important single thing you can do to protect privacy and security. But, you probably already have these in place – everybody’s heard about viruses. (Although, I bet some of you still don’t have protection on your cell phone and tablet…) The real question is, “How well do these things work?” Unfortunately, the answer is, “imperfectly.”

A continuous war is underway between software developers and hackers. Every day, new applications are brought to market that have inevitable vulnerabilities, which are exploited by criminals or vandals, requiring developers to publish patches and fixes to block known exploits, forcing hackers to find new vulnerabilities, which then must be patched, and so on forever.

There are only two ways to identify malware. One is to look at its code to see if it has a “signature” that has already been identified as malicious. Some hackers actually give their evil programs names like, “Nasty server-killing identity thief number 7.” But, trickier programs have innocent-looking filenames, and have to be inspected line by line for patterns consistent with pathogens. Anti-malware companies accumulate giant catalogs of malicious program code, and scrutinize your files for lines that appear on their blacklists.

The second method of malware detection is through heuristic analysis. This uses algorithms to inspect the behavior of programs executed by the operating system, to see if they’re performing functions they shouldn’t. Both types of malware identification have to operate in real-time, which gives an idea of the processing requirements of these protection programs.

Although published counts of identified “virus definitions” are on the order of 20 million,ii this is a partly misleading figure. There are actually only a few hundred basic species of evil code, which are constantly being updated, re-packaged, disguised or encrypted and re-distributed. But, the analogy to influenza is very close. Last year’s disease can kill you this year, if it mutates just a little.

This situation means that, as with vaccine development, the cure is always a finite number of steps behind the disease. The term “zero day attack” refers to an exploit that starts hurting computers the day it’s published, before defenders are even aware it exists. Your anti-malware software must regularly (daily) update its lists of signatures and heuristics to adapt to past recognized threats, but it can’t anticipate those newly evolved.

Both these reasons mean that, at any given moment, your software could be hit by a threat that a) doesn’t appear on your vendor’s blacklist; b) has disguised itself effectively; c) takes a novel form; or d) performs a malfunction that outwardly looks benign. Anti-malware vendors issue updates to their products frequently, but always retrospectively. Microsoft used to publish patches on an “occasional” basis, but now it distributes them on “Patch Tuesday,” the second Tuesday every month. (This, naturally, has spawned “Exploit Wednesday,” after villains have had a chance to examine the new code for points of attack.)

Competing vendors use different combinations of signatures and heuristics to achieve the best balance of sensitivity and specificity they can. But, no product recognizes 100% of threats, and different products find different ones. Furthermore, although tempting, it’s not advisable to layer products in combination, because they are apt to try to remove each other. (Antivirus-antivirus interaction.)

A proper security plan uses multiple strategies for defense besides malware detection. For example, firewalls help prevent unauthorized systems from reaching into critical applications. Restricting the privileges of users and applications tends to limit the spread of unintended passengers. I.T. security is a full-fledged profession for good reasons.

Immune Deficiency
The first case above points out a common mistake in security management – disabling a safety system. Like unplugging your smoke detector, turning off automatic updates to your operating system opens a perceptible hole in your defenses. The reason your vendor issues patches is because a vulnerability, if not an actual exploit, has been found to affect your current system. The patch only works if you apply it before the attack arrives. On “day zero” your only protection is being lost in the crowd: Hopefully it will take a while for the plague to reach your town. But, delaying the update makes you immune deficient. It’s been shown that a “virgin” computer (newly installed operating system but not yet patched with current updates) will become invaded within seconds of connecting to the Internet. At that point the OS may be irreparable, and have to be wiped and re-installed.

The office’s current slowdown could be due to bad things going on in the background. I’d advise they conduct an immediate malware investigation.

Autoimmune Reaction
The second case illustrates a much subtler risk that I haven’t seen widely reported in the patient safety literature. Falsely recognizing (and deleting) innocent files is a problem of “specificity.” In this case, the new software created the exactly analogy of an auto-immune reaction. A medal should go to the I.T. staff who figured out what happened and applied the exactly correct remedy within one day. Imagine if fetal monitor strips had been regularly deleted for months…

Remember Newton’s Law of Programming: “For every function, there is an equal and opposite malfunction.”

EHR-centric systems are emerging as important pharmacovigilance tools which may prove crucial to the advancement of adverse drug event (ADE) reporting, early warning systems and safety signal detection. Chaired by Dr. Edward Fotsch, CEO of PDR Network, and featuring senior FDA representatives, this presentation will focus on the evolution of workflow from a fragmented approach into one that is integrated and cohesive.

The newsletter's Editor-in-Chief, Michael Victoroff, M.D., is a nationally recognized expert on patient safety, medical informatics, bioethics and EHRs, and has published numerous articles on medical computing, EHR safety and medical errors. Dr. Victoroff serves as a Risk Management Consultant for COPIC; is a member of ASTM Subcommittee E31 on Healthcare Informatics, and the Steering Committee on Serious Reportable Events of the National Quality Forum; is Chief Medical Officer for both Parity Computing and Lynxcare; and is an Associate Clinical Professor at the University of Colorado School of Medicine.